path: root/package/network
Commit log. Each entry below gives the commit title (author, date, files changed, lines removed/added), followed by the commit message body.
* dnsmasq: backport missing braces fix (Jo-Philipp Wich, 2019-01-30, 2 files, -3/+6)

    Fold upstream fix d2d4990 ("Fix missing braces in 8eac67c0a15b673c8d27002c248651b308093e4") into the already existing static lease fix patch.

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* dnsmasq: backport upstream static lease fix (Jo-Philipp Wich, 2019-01-30, 2 files, -1/+55)

    Backport and rebase upstream fix 18eac67 ("Fix entries in /etc/hosts disabling static leases.")

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
* wireguard: bump to 0.0.20190123 (Jason A. Donenfeld, 2019-01-30, 1 file, -2/+2)

    * tools: curve25519: handle unaligned loads/stores safely

      This should fix sporadic crashes with `wg pubkey` on certain architectures.

    * netlink: auth socket changes against namespace of socket

      In WireGuard, the underlying UDP socket lives in the namespace where the interface was created and doesn't move if the interface is moved. This allows one to create the interface in some privileged place that has Internet access, and then move it into a container namespace that only has the WireGuard interface for egress. Consider the following situation:

      1. Interface created in namespace A. Socket therefore lives in namespace A.
      2. Interface moved to namespace B. Socket remains in namespace A.
      3. Namespace B now has access to the interface and changes the listen port and/or fwmark of socket. Change is reflected in namespace A.

      This behavior is arguably _fine_ and perhaps even expected or acceptable. But there's also an argument to be made that B should have A's cred to do so. So, this patch adds a simple ns_capable check.

    * ratelimiter: build tests with !IPV6

      Should reenable building in debug mode for systems without IPv6.

    * noise: replace getnstimeofday64 with ktime_get_real_ts64
    * ratelimiter: totalram_pages is now a function
    * qemu: enable FP on MIPS

      Linux 5.0 support.

    * keygen-html: bring back pure javascript implementation

      Benoît Viguier has proofs that values will stay well within 2^53. We also have an improved carry function that's much simpler. Probably more constant time than emscripten's 64-bit integers.

    * contrib: introduce simple highlighter library

      This is the highlighter library being used in:
      - https://twitter.com/EdgeSecurity/status/1085294681003454465
      - https://twitter.com/EdgeSecurity/status/1081953278248796165

      It's included here as a contrib example, so that others can paste it into their own GUI clients for having the same strictly validating highlighting.

    * netlink: use __kernel_timespec for handshake time

      This readies us for Y2038. See https://lwn.net/Articles/776435/ for more info.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (cherry picked from commit bbcd0634f8c9769a336386f8df471231d24a27cc)
* wireguard: Update to snapshot 0.0.20181218 (Daniel Engberg, 2019-01-30, 1 file, -2/+2)

    Update WireGuard to 0.0.20181218

    Signed-off-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
    (cherry picked from commit 9a37c95431b5401c309b7731920daa964842bdee)
* uhttpd: disable concurrent requests by default (Jo-Philipp Wich, 2019-01-30, 2 files, -2/+2)

    In order to avoid straining CPU and memory resources on lower end devices, avoid running multiple CGI requests in parallel.

    Ref: https://forum.openwrt.org/t/high-load-fix-on-openwrt-luci/29006

    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (cherry picked from commit c6aa9ff38870a30dbe6da17e4edad6039fe10ddf)
* odhcpd: fix onlink IA check (FS#2060) (Hans Dedecker, 2019-01-16, 1 file, -4/+4)

    ae16950 dhcpv6-ia: fix compiler warning
    c70d5cf dhcpv6-ia: fix onlink IA check (FS#2060)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: noop to fix PKG_SOURCE_DATE (Hans Dedecker, 2019-01-05, 1 file, -1/+1)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: filter routes based on prefix_filter (Hans Dedecker, 2019-01-04, 1 file, -4/+4)

    96694ab router: filter route information option

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
* odhcpd: backport prefix filter/NETEV_ADDR6LIST_CHANGE event fixes (Hans Dedecker, 2018-12-31, 1 file, -4/+4)

    d404c7e netlink: fix triggering of NETEV_ADDR6LIST_CHANGE event
    ae6cf80 config: correctly break string for prefix filter

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (cherry picked from commit 493c1d17663dbfdaf23304994e71280400493fc2)
* dropbear: fix dropbear startup issue (Hans Dedecker, 2018-12-21, 2 files, -2/+10)

    Interface triggers are installed by the dropbear init script in case an interface is configured for a given dropbear uci section. As dropbear is started after network, the interface trigger event can be missed during a small window; this is especially the case if lan is specified as interface.

    Fix this by starting dropbear before network so no interface trigger is missed. As dropbear is started earlier than netifd, add a boot function to avoid the usage of network.sh functions, as calls to such functions will fail at boot time.

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    Acked-by: Jo-Philipp Wich <jo@mein.io>
* wireguard: bump to 0.0.20181119 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * chacha20,poly1305: fix up for win64
    * poly1305: only export neon symbols when in use
    * poly1305: cleanup leftover debugging changes
    * crypto: resolve target prefix on buggy kernels
    * chacha20,poly1305: don't do compiler testing in generator and remove xor helper
    * crypto: better path resolution and more specific generated .S
    * poly1305: make frame pointers for auxiliary calls
    * chacha20,poly1305: do not use xlate

    This should fix up the various build errors, warnings, and insertion errors introduced by the previous snapshot, where we added some significant refactoring. In short, we're trying to port to using Andy Polyakov's original perlasm files, and this means quite a lot of work to re-do that had stabilized in our old .S.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from 48d8d46d331cd866ad5717cc5b090223a1856a4a)
* wireguard: bump to 0.0.20181115 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * Zinc no longer ships generated assembly code. Rather, we now bundle in the original perlasm generator for it. The primary purpose of this snapshot is to get testing of this.
    * Clarify the peer removal logic and make lifetimes more precise.
    * Use READ_ONCE for is_valid and is_dead.
    * No need to use atomic when the refcounter is mutex protected.
    * Fix up macros and annotations in allowedips.
    * Increment drop counter when staged packets are dropped.
    * Use static constants instead of enums for 64-bit values in selftest.
    * Mark large constants as ULL in poly1305-donna64.
    * Fix sparse warnings in allowedips debugging code.
    * Do not use wg_peer_get_maybe_zero in timer callbacks, since we now can carefully control the lifetime of these functions and ensure they never execute after dropping the last reference.
    * Cleanup hashing in ratelimiter.
    * Do not guard timer removals, since del_timer is always okay.
    * We now check for PM_AUTOSLEEP, which makes the clear*on-suspend decision a bit more general.
    * Set csum_level to ~0, since the poly1305 authenticator certainly means that no data was modified in transit.
    * Use CHECKSUM_PARTIAL check for skb_checksum_help instead of skb_checksum_setup check.
    * wg.8: specify that wg(8) shows runtime info too
    * wg.8: AllowedIPs isn't actually required
    * keygen-html: add missing glue macro
    * wg-quick: android: do not choke on empty allowed-ips

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from bf52c968e863768494e79731550c62610dd3cf78)
* wireguard: bump to 0.0.20181018 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    ba2ab5d version: bump snapshot
    5f59c76 tools: wg-quick: wait for interface to disappear on freebsd
    ac7e7a3 tools: don't fail if a netlink interface dump is inconsistent
    8432585 main: get rid of unloaded debug message
    139e57c tools: compile on gnu99
    d65817c tools: use libc's endianness macro if no compiler macro
    f985de2 global: give if statements brackets and other cleanups
    b3a5d8a main: change module description
    296d505 device: use textual error labels always
    8bde328 allowedips: swap endianness early on
    a650d49 timers: avoid using control statements in macro
    db4dd93 allowedips: remove control statement from macro by rewriting
    780a597 global: more nits
    06b1236 global: rename struct wireguard_ to struct wg_
    205dd46 netlink: do not stuff index into nla type
    2c6b57b qemu: kill after 20 minutes
    6f2953d compat: look in Kbuild and Makefile since they differ based on arch
    a93d7e4 create-patch: blacklist instead of whitelist
    8d53657 global: prefix functions used in callbacks with wg_
    123f85c compat: don't output for grep errors

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from 4653818dabe6d2f6e99b483ec256e4374dbb2c77)
* wireguard: bump to 0.0.20181007 (Kevin Darbyshire-Bryant, 2018-12-18, 1 file, -2/+2)

    64750c1 version: bump snapshot
    f11a2b8 global: style nits
    4b34b6a crypto: clean up remaining .h->.c
    06d9fc8 allowedips: document additional nobs
    c32b5f9 makefile: do more generic wildcard so as to avoid rename issues
    20f48d8 crypto: use BIT(i) & bitmap instead of (bitmap >> i) & 1
    b6e09f6 crypto: disable broken implementations in selftests
    fd50f77 compat: clang cannot handle __builtin_constant_p
    bddaca7 compat: make asm/simd.h conditional on its existence
    b4ba33e compat: account for ancient ARM assembler

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (backported from 3925298f3ca9bcd854571367d98bb6ca07f4e66e)
* wireguard: bump to 0.0.20181006 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * Account for big-endian 2^26 conversion in Poly1305.
    * Account for big-endian NEON in Curve25519.
    * Fix macros in big-endian AArch64 code so that this will actually run there at all.
    * Prefer if (IS_ENABLED(...)) over ifdef mazes when possible.
    * Call simd_relax() within any preempt-disabling glue code every once in a while so as not to increase latency if folks pass in super long buffers.
    * Prefer compiler-defined architecture macros in assembly code, which puts us in closer alignment with upstream CRYPTOGAMS code, and is cleaner.
    * Non-static symbols are prefixed with wg_ to avoid polluting the global namespace.
    * Return a bool from simd_relax() indicating whether or not we were rescheduled.
    * Reflect the proper simd conditions on arm.
    * Do not reorder lines in Kbuild files for the simd asm-generic addition, since we don't want to cause merge conflicts.
    * WARN() if the selftests fail in Zinc, since if this is an initcall, it won't block module loading, so we want to be loud.
    * Document some interdependencies beside include statements.
    * Add missing static statement to fpu init functions.
    * Use union in chacha to access state words as a flat matrix, instead of casting a struct to a u8 and hoping all goes well. Then, by passing around that array as a struct for as long as possible, we can update counter[0] instead of state[12] in the generic blocks, which makes it clearer what's happening.
    * Remove __aligned(32) for chacha20_ctx since we no longer use vmovdqa on x86, and the other implementations do not require that kind of alignment either.
    * Submit patch to ARM tree for adjusting RiscPC's cflags to be -march=armv3 so that we can build code that uses umull.
    * Allow CONFIG_ARM[64] to imply [!]CONFIG_64BIT, and use zinc arch config variables consistently throughout.
    * Document rationale for the 2^26->2^64/32 conversion in code comments.
    * Convert all of remaining BUG_ON to WARN_ON.
    * Replace `bxeq lr` with `reteq lr` in ARM assembler to be compatible with old ISAs via the macro in <asm/assembler.h>.
    * Do not allow WireGuard to be a built-in if IPv6 is a module.
    * Writeback the base register and reorder multiplications in the NEON x25519 implementation.
    * Try all combinations of different implementations in selftests, so that potential bugs are more immediately unearthed.
    * Self tests and SIMD glue code work with #include, which lets the compiler optimize these. Previously these files were .h, because they were included, but a simple grep of the kernel tree shows 259 other files that carry out this same pattern. Only they prefer to instead name the files with a .c instead of a .h, so we now follow the convention.
    * Support many more platforms in QEMU, especially big endian ones.
    * Kernels < 3.17 don't have read_cpuid_part, so fix building there.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from b6658564505e1f9a582ac63bd06cdf4b423818be)
* ethtool: update to 4.19 (Hans Dedecker, 2018-12-18, 1 file, -2/+2)

    8a1ad80 Release version 4.19.
    ecdf295 ethtool: Fix uninitialized variable use at qsfp dump
    98c148e ethtool: better syntax for combinations of FEC modes
    d4b9f3f ethtool: support combinations of FEC modes

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (backported from 5617e138bdaff94587d700def3d74e81c5b2db19)
* ethtool: Update to 4.18 (Robert Marko, 2018-12-18, 1 file, -2/+2)

    Tested on 8devices Jalapeno (ipq40xx)

    Introduces following changes:
    Feature: Add support for WAKE_FILTER (WoL using filters)
    Feature: Add support for action value -2 (wake-up filter)
    Fix: document WoL filters option also in help message
    Feature: ixgbe dump strings for security registers

    Signed-off-by: Robert Marko <robimarko@gmail.com>
    (backported from a9d73531921ef4755e2cbd6e9e7e36c59b00655c)
* ethtool: Update to 4.17 (Robert Marko, 2018-12-18, 1 file, -2/+2)

    Tested on 8devices Jalapeno (ipq40xx)

    Introduces following changes
    * Fix: In ethtool.8, remove superfluous and incorrect \
    * Fix: fix uninitialized return value
    * Fix: fix RING_VF assignment
    * Fix: remove unused global variable
    * Fix: several fixes in do_gregs()
    * Fix: correctly free hkey when get_stringset() fails
    * Fix: remove unreachable code
    * Fix: fix stack clash in do_get_phy_tunable and do_set_phy_tunable
    * Feature: Add register dump support for MICROCHIP LAN78xx

    Signed-off-by: Robert Marko <robimarko@gmail.com>
    (backported from 4bb2532ec1d4f30ad44037331130daffa687eb3d)
* ethtool: Update to 4.16 (Rosen Penev, 2018-12-18, 1 file, -2/+2)

    Tested on Turris Omnia (mvebu).

    Signed-off-by: Rosen Penev <rosenp@gmail.com>
    (backported from 2737cea0bb117013875ee33916bb4b9deae9ea47)
* Revert "iptables: fix dependency for libip6tc on IPV6" (Petr Štetiar, 2018-12-18, 1 file, -2/+2)

    This patch reverts commit 2dc1f54b1205094e7c6036cae6275d2c326bad3e as it breaks the build for me on x86-64 if I have IPV6 support disabled. Same config builds fine on `openwrt-18.06` branch at 55d078b2.

        $ grep IPV6 .config
        # CONFIG_KERNEL_IPV6 is not set
        # CONFIG_IPV6 is not set

    Build errors out on:

        Package libiptc is missing dependencies for the following libraries:
        libip6tc.so.0

    Looking at iptables-1.6.2/libiptc/Makefile.am:

        libiptc_la_LIBADD = libip4tc.la libip6tc.la

    and at iptables-1.6.2/libiptc/libiptc.pc.in:

        Requires: libip4tc libip6tc

    It seems that libiptc needs v4/v6 libs, so v6 isn't optional.

    Cc: Rosy Song <rosysong@rosinson.com>
    Signed-off-by: Petr Štetiar <ynezz@true.cz>
    (backported from 1b4b942bcef8638a040788ab9ae94c66e38fd960)
* uqmi: update PKG_RELEASE version (Florian Eckert, 2018-12-18, 1 file, -1/+1)

    update PKG_RELEASE

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from 4cabda8b7ddb0efea23e2aa044ea8bf18e03d199)
* uqmi: stop proto handler if verify pin count is not 3 (Florian Eckert, 2018-12-18, 1 file, -0/+7)

    Check the pin count value from the pin status and stop verifying the PIN if the value is less than 3. This should prevent the proto-handler from locking the SIM. If the SIM is locked, the PUK is needed.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from 0c9d06b5b243334123eafaf2e26a15ec2757767e)
* uqmi: evaluate pin-status output in qmi_setup function (Florian Eckert, 2018-12-18, 1 file, -7/+49)

    Load the json output from the uqmi --get-pin-status command and evaluate the "pin1_status" value.

    The following uqmi "pin1_status" values are evaluated:
    - disabled
      Do not verify PIN because SIM verification is disabled on this SIM
    - blocked
      Stop qmi_setup because SIM is locked and a PUK is required
    - not_verified
      SIM is not yet verified. Do a uqmi --verify-pin1 command if a SIM is specified
    - verified
      Do not verify the PIN because this was already done before

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from 4b80bd878d0fcb520f4811097900ebb5478a74fd)
* uqmi: do not block proto handler if SIM is uninitialized (Florian Eckert, 2018-12-18, 1 file, -1/+9)

    The QMI proto setup-handler will wait forever if the SIM does not get initialized. To fix this, stop polling the pin status and notify netifd. Netifd will then generate an "ifup-failed" ACTION.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from f171a86d064ac3fcfff05d286becae87c2e26b5f)
* uqmi: do not block proto handler if modem is unable to register (Florian Eckert, 2018-12-18, 1 file, -1/+10)

    The QMI proto setup-handler will wait forever if it is unable to register to the mobile network. To fix this, stop polling the network registration status and notify netifd. Netifd will then generate an "ifup-failed" ACTION.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from dec1bfa0f48d43174921d1a1357a4842f9ba0cf6)
* uqmi: fix variable initialization for timeout handling (Florian Eckert, 2018-12-18, 1 file, -0/+2)

    Also add logging output for SIM initialization.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from 71865200c95d5ccebe01980c88ee44a15888bcaf)
* uqmi: add timeout option value (Florian Eckert, 2018-12-18, 1 file, -2/+5)

    This value will be used for now during the following situations:
    * Ask the sim with the uqmi --get-pin-status command.
    * Wait for network registration with the uqmi --get-serving-system command.

    These two commands wait forever in a while loop. Add a timeout to stop waiting and so inform netifd.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from dee93def394c9bf10d2cc3eb64d9e190ca461a67)
* uqmi: redirect uqmi commands output to /dev/null (Florian Eckert, 2018-12-18, 1 file, -12/+12)

    Move the uqmi standard and error output of commands whose output is not used to /dev/null. This will remove useless output from the syslog.

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from 2d57aa9c4c852e847e66a3bb5c775910d0cb8d77)
* uqmi: fix indenting (Florian Eckert, 2018-12-18, 1 file, -16/+16)

    fix indenting

    Signed-off-by: Florian Eckert <fe@dev.tdt.de>
    (backported from 692c6d9a5dbb955d00516b465271fd8a053af206)
* gre: make encaplimit support configurable (Hans Dedecker, 2018-12-18, 2 files, -2/+4)

    Make inclusion of the destination option header containing the tunnel encapsulation limit configurable for IPv6 GRE packets. Setting the uci parameter encaplimit to ignore disables the insertion of the destination option header in the IPv6 GRE packets. Otherwise the tunnel encapsulation limit value can be set to a value from 0 to 255 by setting the encaplimit uci parameter accordingly.

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (backported from 3d015e971f5e3f0df8e8ab149fda1270c5c72507)
* odhcpd: update to latest git HEAD (FS#1853) (Hans Dedecker, 2018-12-18, 1 file, -4/+4)

    57f639e (HEAD -> master, origin/master, origin/HEAD) odhcpd: make DHCPv6/RA/NDP support optional
    402c274 dhcpv6: check return code of dhcpv6_ia_init()
    ee7472a router: don't leak RA message in relay mode (FS#1853)

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (backported from af78e90d4cdb3c944d9c4f3d4d4648dd67886c4d)
* iw: strip a few more non-essential features from iw-tiny (Felix Fietkau, 2018-12-18, 1 file, -1/+46)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (backported from 518fb345e110f7028912211ebf75af92c7c10809)
* iw: fix filtering linked object files for iw-tiny (Felix Fietkau, 2018-12-18, 1 file, -1/+1)

    It was broken by the recent commit that added iw-full

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (backported from 7999282f7f1a1ab8a965f4b5efe31a4209bac0a6)
* iw: add iw-full package without size reduction hacks (Felix Fietkau, 2018-12-18, 2 files, -20/+43)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (backported from 8c647e873f9adf4527e61684458075f8d2b61a97)
* ipset: update to 6.38 (Syrone Wong, 2018-12-18, 2 files, -27/+2)

    dropped already upstream patch

    Signed-off-by: Syrone Wong <wong.syrone@gmail.com>
    (backported from 68f109609b613b38bb3b2e6e82a9c04ae8bd011f)
* odhcpd-ipv6only: fix dependency for IPV6 (Rosy Song, 2018-12-18, 1 file, -1/+2)

    Signed-off-by: Rosy Song <rosysong@rosinson.com>
    (backported from 456df06071f54d3c799725227d1ac77afbe61891)
* netifd: update to latest git HEAD (Hans Dedecker, 2018-12-18, 1 file, -3/+3)

    4b83102 treewide: switch to C-code style comments
    70506bf treewide: make some functions static
    d9872db interface: fix removal of dynamic interfaces
    2f7ef7d interface: rework code to get rid of interface_set_dynamic

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (backported from 8e409f476b358111113353c3d3adfcff113674b8)
* netifd: update to latest git HEAD (Hans Dedecker, 2018-12-18, 1 file, -3/+3)

    841b5d1 system-linux: enable by default ignore encaplimit for grev6 tunnels
    125cbee system-linux: fix a typo in gre tunnel data parsing logic

    Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
    (backported from db6f9d5598a353c94578bd76dbef92dd78f3ae63)
* hostapd: expose device taxonomy signature via ubus (Felix Fietkau, 2018-12-18, 1 file, -0/+6)

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (backported from 7d8681ccb99730ca0b35a5c341b468a86cadbf35)
* hostapd: add support for client taxonomy in the full config (Felix Fietkau, 2018-12-18, 2 files, -5/+29)

    This can be used to fingerprint clients to try to identify the exact model

    Signed-off-by: Felix Fietkau <nbd@nbd.name>
    (backported from 23c1827e341fce302ba2841ecabeeb3f95e21d68)
* hostapd: fix MAC filter related log spam (Jo-Philipp Wich, 2018-12-18, 4 files, -11/+78)

    Backport two upstream fixes to address overly verbose logging of MAC ACL rejection messages.

    Fixes: FS#1468
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (backported from 3e633bb3709611d79965fab667e3239fd3bde151)
* wireguard: bump to 0.0.20180925 (Kevin Darbyshire-Bryant, 2018-12-18, 1 file, -2/+2)

    33523a5 version: bump snapshot
    0759480 curve25519-hacl64: reduce stack usage under KASAN
    b9ab0fc chacha20: add bounds checking to selftests
    2e99d19 chacha20-mips32r2: reduce stack and branches in loop, refactor jumptable handling
    d6ac367 qemu: bump musl
    28d8b7e crypto: make constant naming scheme consistent
    56c4ea9 hchacha20: keep in native endian in words
    0c3c0bc chacha20-arm: remove unused preambles
    3dcd246 chacha20-arm: updated scalar code from Andy
    6b9d5ca poly1305-mips64: remove useless preprocessor error
    3ff3990 crypto-arm: rework KERNEL_MODE_NEON handling again
    dd2f91e crypto: flatten out makefile
    67a3cfb curve25519-fiat32: work around m68k compiler stack frame bug
    9aa2943 allowedips: work around kasan stack frame bug in selftest
    317b318 chacha20-arm: use new scalar implementation
    b715e3b crypto-arm: rework KERNEL_MODE_NEON handling
    77b07d9 global: reduce stack frame size
    ddc2bd6 chacha20: add chunked selftest and test sliding alignments and hchacha20
    2eead02 chacha20-mips32r2: reduce jumptable entry size and stack usage
    a0ac620 chacha20-mips32r2: use simpler calling convention
    09247c0 chacha20-arm: go with Ard's version to optimize for Cortex-A7
    a329e0a chacha20-mips32r2: remove reorder directives
    3b22533 chacha20-mips32r2: fix typo to allow reorder again
    d4ac6bb poly1305-mips32r2: remove all reorder directives
    197a30c global: put SPDX identifier on its own line
    305806d ratelimiter: disable selftest with KASAN
    4e06236 crypto: do not waste space on selftest items
    5e0fd08 netlink: reverse my christmas trees
    a61ea8b crypto: explicitly dual license
    b161aff poly1305: account for simd being toggled off midway
    470a0c5 allowedips: change from BUG_ON to WARN_ON
    aa9e090 chacha20: prefer crypto_xor_cpy to avoid memmove
    1b0adf5 poly1305: no need to trick gcc 8.1
    a849803 blake2s: simplify final function
    073f3d1 poly1305: better module description

    Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
    (backported from 37961f12baa756caf5d735fdafff46205d21a93d)
* wireguard: bump to 0.0.20180918 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * blake2s-x86_64: fix whitespace errors
    * crypto: do not use compound literals in selftests
    * crypto: make sure UML is properly disabled
    * kconfig: make NEON depend on CPU_V7
    * poly1305: rename finish to final
    * chacha20: add constant for words in block
    * curve25519-x86_64: remove useless define
    * poly1305: precompute 5*r in init instead of blocks
    * chacha20-arm: swap scalar and neon functions
    * simd: add __must_check annotation
    * poly1305: do not require simd context for arch
    * chacha20-x86_64: cascade down implementations
    * crypto: pass simd by reference
    * chacha20-x86_64: don't activate simd for small blocks
    * poly1305-x86_64: don't activate simd for small blocks
    * crypto: do not use -include trick
    * crypto: turn Zinc into individual modules
    * chacha20poly1305: relax simd between sg chunks
    * chacha20-x86_64: more limited cascade
    * crypto: allow for disabling simd in zinc modules
    * poly1305-x86_64: show full struct for state
    * chacha20-x86_64: use correct cut off for avx512-vl
    * curve25519-arm: only compile if symbols will be used
    * chacha20poly1305: add __init to selftest helper functions
    * chacha20: add independent self test

      Tons of improvements all around the board to our cryptography library, including some performance boosts with how we handle SIMD for small packets.

    * send/receive: reduce number of sg entries

      This quells a powerpc stack usage warning.

    * global: remove non-essential inline annotations

      We now allow the compiler to determine whether or not to inline certain functions, while still manually choosing so for a few performance-critical sections.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from f07a94da50b8a31928cb34c19695747e0df74beb)
* wireguard: bump to 0.0.20180910 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * curve25519: arm: do not modify sp directly
    * compat: support neon.h on old kernels
    * compat: arch-namespace certain includes
    * compat: move simd.h from crypto to compat since it's going upstream

      This fixes a decent amount of compat breakage and thumb2-mode breakage introduced by our move to Zinc.

    * crypto: use CRYPTOGAMS license

      Rather than using code from OpenSSL, use code directly from AndyP.

    * poly1305: rewrite self tests from scratch
    * poly1305: switch to donna

      This makes our C Poly1305 implementation a bit more intensely tested and also faster, especially on 64-bit systems. It also sets the stage for moving to a HACL* implementation when that's ready.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from a54f492d0cf1f9bff1dd449961441e789c724995)
* wireguard: bump to 0.0.20180904 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * Kconfig: use new-style help marker
    * global: run through clang-format
    * uapi: reformat
    * global: satisfy check_patch.pl errors
    * global: prefer sizeof(*pointer) when possible
    * global: always find OOM unlikely

      Tons of style cleanups.

    * crypto: use unaligned helpers

      We now avoid unaligned accesses for generic users of the crypto API.

    * crypto: import zinc

      More style cleanups and a rearrangement of the crypto routines to fit how this is going to work upstream. This required some fairly big changes to our build system, so there may be some build errors we'll have to address in subsequent snapshots.

    * compat: rng_is_initialized made it into 4.19

      We therefore don't need it in the compat layer anymore.

    * curve25519-hacl64: use formally verified C for comparisons

      The previous code had been proved in Z3, but this new code from upstream KreMLin is directly generated from the F*, which is preferable. The assembly generated is identical.

    * curve25519-x86_64: let the compiler decide when/how to load constants

      Small performance boost.

    * curve25519-arm: reformat
    * curve25519-arm: cleanups from lkml
    * curve25519-arm: add spaces after commas
    * curve25519-arm: use ordinary prolog and epilogue
    * curve25519-arm: do not waste 32 bytes of stack
    * curve25519-arm: prefix immediates with #

      This incorporates ASM nits from upstream review.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from 4ccbe7de6cb20766fd309bc3824c7591e33b0b96)
* wireguard: bump to 0.0.20180809 (Jason A. Donenfeld, 2018-12-18, 1 file, -2/+2)

    * send: switch handshake stamp to an atomic

      Rather than abusing the handshake lock, we're much better off just using a boring atomic64 for this. It's simpler and performs better. Also, while we're at it, we set the handshake stamp both before and after the calculations, in case the calculations block for a really long time waiting for the RNG to initialize.

    * compat: better atomic acquire/release backport

      This should fix compilation and correctness on several platforms.

    * crypto: move simd context to specific type

      This was a suggestion from Andy Lutomirski on LKML.

    * chacha20poly1305: selftest: use arrays for test vectors

      We no longer have lines so long that they're rejected by SMTP servers.

    * qemu: add easy git harness

      This makes it a bit easier to use our qemu harness for testing our mainline integration tree.

    * curve25519-x86_64: avoid use of r12

      This causes problems with RAP and KERNEXEC for PaX, as r12 is a reserved register.

    * chacha20: use memmove in case buffers overlap

      A small correctness fix that we never actually hit in WireGuard but is important especially for moving this into a general purpose library.

    * curve25519-hacl64: simplify u64_eq_mask
    * curve25519-hacl64: correct u64_gte_mask

      Two bitmath fixes from Samuel, which come complete with a z3 script proving their correctness.

    * timers: include header in right file

      This fixes compilation in some environments.

    * netlink: don't start over iteration on multipart non-first allowedips

      Matt Layher found a bug where a netlink dump of peers would never terminate in some circumstances, causing wg(8) to keep trying forever. We now have a fix as well as a unit test to mitigate this, and we'll be looking to create a fuzzer out of Matt's nice library.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    (backported from 42dc0e25947a77b02ea18fa0e5fa04382250d5db)
* wireguard: bump to 0.0.20180802 (Jason A. Donenfeld, 2018-12-18, 1 file, -3/+3)

    Changelog taken from the version announcement

    > == Changes ==
    >
    > * chacha20poly1305: selftest: split up test vector constants
    >
    > The test vectors are encoded as long strings -- really long strings -- and
    > apparently RFC821 doesn't like lines longer than 998.
    > https://cr.yp.to/smtp/message.html
    >
    > * queueing: keep reference to peer after setting atomic state bit
    >
    > This fixes a regression introduced when preparing the LKML submission.
    >
    > * allowedips: prevent double read in kref
    > * allowedips: avoid window of disappeared peer
    > * hashtables: document immediate zeroing semantics
    > * peer: ensure resources are freed when creation fails
    > * queueing: document double-adding and reference conditions
    > * queueing: ensure strictly ordered loads and stores
    > * cookie: returned keypair might disappear if rcu lock not held
    > * noise: free peer references on failure
    > * peer: ensure destruction doesn't race
    >
    > Various fixes, as well as lots of code comment documentation, for a
    > small variety of the less obvious aspects of object lifecycles,
    > focused on correctness.
    >
    > * allowedips: free root inside of RCU callback
    > * allowedips: use different macro names so as to avoid confusion
    >
    > These incorporate two suggestions from LKML.
    >
    > This snapshot contains commits from: Jason A. Donenfeld and Jann Horn.

    Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
    Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
    (backported from 68e2ebe64a0f27eb25c0e56ef1125ce1318e2279)
* iptables: fix dependency for libip6tc on IPV6 (Rosy Song, 2018-12-18, 1 file, -2/+2)

    Signed-off-by: Rosy Song <rosysong@rosinson.com>
    (backported from 2dc1f54b1205094e7c6036cae6275d2c326bad3e)
* netifd: do not validate relevant section when ipv6 is not supported (Rosy Song, 2018-12-18, 1 file, -2/+2)

    Signed-off-by: Rosy Song <rosysong@rosinson.com>
    (backported from a6add47869972139cef9106aecfddbac0b3f64f4)
* dante: disable sched_getscheduler() - not implemented in musl (David Yang, 2018-12-18, 1 file, -3/+4)

    musl doesn't come with a valid implementation of `sched_getscheduler()`; it simply returns -ENOSYS for it. Without this option (and compiling dante with `sched_getscheduler()` enabled), you will get the error:

        serverinit(): sched_getscheduler(2): failed to retrieve current cpuscheduling policy: Function not implemented

    and dante won't start at all.

    Ref: http://lists.alpinelinux.org/alpine-devel/3932.html
    Ref: http://lists.alpinelinux.org/alpine-devel/3936.html

    Signed-off-by: David Yang <mmyangfl@gmail.com>
    [slightly reword commit message]
    Signed-off-by: Jo-Philipp Wich <jo@mein.io>
    (backported from aaf46a8fe23eca959164c1681ab3a37c6e746b05)